
Security Policy for Searchality


Introduction

At Searchality, we understand that the security of our customers' data is of the utmost importance. We take a comprehensive approach to web application security, implementing a range of measures to protect our application and our customers' information. This document outlines the steps we have taken to ensure the safety of the Searchality web application.

Executive Summary

Searchality is committed to providing the highest level of security for our customers. We use industry-standard protocols and technologies to protect sensitive information and prevent unauthorized access. Our security measures include HTTPS, AWS Shield, JWT, Stripe, database security, API testing, sensitive information hashing, role-based access, 2FA, software updates, and logging and monitoring. We also conduct regular security assessments, penetration testing, and continuous monitoring to identify and address vulnerabilities.


HTTPS

Searchality uses HTTPS to encrypt all communication between the client and server, preventing eavesdropping on and tampering with data in transit. This ensures that sensitive information, such as login credentials, personal information, and financial data, is protected while in transit. When a user connects to the Searchality website over HTTPS, the following steps occur:

1. The client initiates a secure connection by requesting an SSL/TLS certificate from the server.
2. The server sends its SSL/TLS certificate to the client, which includes the server's public key.
3. The client verifies the certificate and establishes a secure connection by creating a shared secret key, which is used to encrypt all communication between the client and server.
4. The client and server can now securely exchange sensitive information.


AWS Shield

To prevent DDoS attacks, we use AWS Shield to protect our application. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that defends against network-layer and application-layer DDoS attacks. This helps to ensure that the Searchality application remains available to customers even in the event of a DDoS attack.

JSON Web Tokens (JWT)

Searchality uses JSON Web Tokens (JWT) for user authentication and authorization between the frontend and the API. JWT is an open standard (RFC 7519) that defines a compact, self-contained way to transmit claims securely between parties. Each token is signed with a secret key and verified on the server, so that only authorized users can access the application's resources. This helps to prevent unauthorized access to sensitive information and improves the overall security of the web application.

Payment Processing

Searchality uses Stripe, a PCI-compliant payment processing service, for all payment-related features. This ensures that all sensitive financial information is securely processed and stored in compliance with industry standards.


Database Security

Database connections are allowed only from our EC2 instance using IAM roles, ensuring that only authorized personnel can access the database. This helps to prevent unauthorized access to sensitive customer data stored in the database.


API Testing

We have automated integration and end-to-end tests in place to prevent data leakage from the API. These tests check the API for security vulnerabilities and verify that the data it stores is properly encrypted and protected.

Sensitive Information Hashing

Searchality hashes all sensitive user information using a secure algorithm such as bcrypt. This ensures that such data is protected and cannot be recovered in the event of a security breach.

Role-based Access

Access to the application is limited using a role system to ensure that only authorized personnel can access sensitive information. This includes implementing role-based access control (RBAC) to restrict access to certain parts of the application to specific roles or users.

Two-Factor Authentication (2FA)

Searchality uses 2FA for admin users to provide an additional layer of security for the roles with the highest level of responsibility. 2FA requires a user to present two forms of authentication, typically a password and a one-time code generated by a device or sent via text message or email, before gaining access to the application. This helps to prevent unauthorized access to sensitive information and reduces the risk of a security breach.

Software Updates

We keep all software, including the operating system, web server, and libraries, updated to ensure that any security vulnerabilities are patched. This helps to ensure that the Searchality application is protected against known security vulnerabilities.


Logging and Monitoring

Searchality has implemented logging and monitoring to detect and respond to security incidents in a timely manner. We use a combination of system and application logs, network traffic monitoring, and security event monitoring to detect and respond to security incidents.


Conclusion

At Searchality, we are committed to providing our customers with the highest level of security. We have implemented comprehensive security measures to protect our customers' information and prevent unauthorized access. We will continue to review and update our security measures as needed to ensure the protection of our customers' data.


Risk Management

Searchality has a robust risk management program in place to identify, assess, and mitigate risks to the web application. We regularly review our security measures, identify potential vulnerabilities, and implement appropriate controls to mitigate those risks. Our incident response plan outlines the steps we will take in case of a security incident, and we conduct regular exercises to test and improve the effectiveness of our incident response plan.


Compliance

Searchality adheres to industry compliance standards such as PCI-DSS, SOC 2, and HIPAA to ensure the protection of sensitive information. We are committed to meeting the requirements of these standards and regularly review our security measures to ensure compliance.

Incident Response

Searchality has a well-defined incident response plan for handling security incidents. The plan outlines the steps to be taken in the event of a security incident, including incident detection, response, recovery, and follow-up. We conduct regular incident response exercises to test and improve the effectiveness of the plan.

Continuous Monitoring and Auditing

Searchality continuously monitors and audits its security measures to identify and address vulnerabilities. This includes regular security assessments, penetration testing, and vulnerability scanning to identify and address vulnerabilities in a timely manner.